Sunday, June 29, 2014

A quick way to upgrade your host to ESXi 5.5 U1, the newest version at the time of this article, has a few requirements:

Valid DNS servers configured on your ESXi hosts.
Internet access from the ESXi hosts.
A reboot is required, just as with a normal host upgrade.
Before attempting the update, be sure to either disable the ESXi firewall (esxcli network firewall set -e false) or enable the correct firewall rule, httpClient (esxcli network firewall ruleset set -e true -r httpClient). This rule allows both TCP/80 (HTTP) and TCP/443 (HTTPS) outbound.

After you’ve disabled the ESXi firewall or enabled the correct rule, you can then start the update using the esxcli software profile update command. To update via the VMware online depot, use the command like this: esxcli software profile install -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-5.5.0-20140302001-standard

The -d option specifies the depot, and here it points to the online (VUM) depot, which you can also use for standalone hosts. -p specifies the image profile included in the depot; there are 4 versions available. I chose the 5.5 U1 standard profile (with tools).

An image profile name with an s in it is a security-only update and includes only security fixes. The no-tools image profiles do not include the VMware Tools binaries.

If you don’t have access to the online depot, for example due to company policy, you can follow the same procedure in most cases. Upload the offline depot (available on the download page here) to a datastore, then use the command esxcli software profile update -d /vmfs/volumes/datastore1\ \(3\)/update-from-esxi5.5-5.5_update01.zip -p ESXi-5.5.0-20140302001-standard

During the upgrade, I ran into the following error:

[Exception]
You attempted to install an image profile which would have resulted in the removal of VIBs ['VMware_bootbank_vmware-fdm_5.5.0-1312298']. If this is not what you intended, you may use the esxcli software profile update command to preserve the VIBs above. If this is what you intended, please use the --ok-to-remove option to explicitly allow the removal.
Please refer to the log file for more details.
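The whole procedure above as one script, added here as an example and not part of the original post: it opens only the httpClient ruleset (rather than disabling the entire ESXi firewall), keeps it open just for the duration of the update, and uses esxcli software profile update so that VIBs outside the profile, such as the vmware-fdm agent named in the error, are preserved instead of removed. It assumes it is run from the ESXi shell; the ESXCLI variable and the function name esxi_update_profile are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): wrap the image-profile update
# so that only the httpClient ruleset is opened, and only while the update
# runs, instead of switching the whole ESXi firewall off. Uses "profile
# update" rather than "profile install" so VIBs that are not part of the
# profile (the vmware-fdm HA agent in the post's error) are preserved.
# Assumes it runs in the ESXi shell; ESXCLI can point at a stub for testing.

ESXCLI="${ESXCLI:-esxcli}"

# esxi_update_profile DEPOT PROFILE
# Returns the exit status of the esxcli update command.
esxi_update_profile() {
    depot="$1"; profile="$2"
    if [ -z "$depot" ] || [ -z "$profile" ]; then
        echo "usage: esxi_update_profile DEPOT PROFILE" >&2
        return 2
    fi
    # Allow outbound TCP/80 and TCP/443 for the update only.
    "$ESXCLI" network firewall ruleset set -e true -r httpClient || return 1
    "$ESXCLI" software profile update -d "$depot" -p "$profile"
    rc=$?
    # Close the ruleset again whether or not the update succeeded; drop this
    # line if the rule was already enabled for other reasons.
    "$ESXCLI" network firewall ruleset set -e false -r httpClient
    return "$rc"
}

# Usage: sh esxi-update.sh DEPOT PROFILE, e.g. with the online depot URL and
# the ESXi-5.5.0-20140302001-standard profile from the post. A reboot is
# still required afterwards.
if [ "$#" -eq 2 ]; then
    esxi_update_profile "$1" "$2"
fi
```

Passing the depot URL and profile name as arguments keeps the same script usable with the offline depot path from the post.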

Saturday, June 28, 2014

To change a GUID partition table disk into a master boot record disk using the command line

1. Back up or move all volumes on the basic GUID partition table (GPT) disk you want to convert into a master boot record (MBR) disk.

2. Open an elevated command prompt (right-click Command Prompt, and then click Run as Administrator) and type diskpart. If the disk does not contain any partitions or volumes, skip to step 6.

3. At the DISKPART prompt, type list disk. Make note of the disk number you want to convert.

4. At the DISKPART prompt, type select disk disknumber.

5. At the DISKPART prompt, type clean.

Important: Running the clean command will delete all partitions or volumes on the disk.

6. At the DISKPART prompt, type convert mbr.

list disk: Displays a list of disks and information about them, such as their size, amount of available free space, whether the disk is a basic or dynamic disk, and whether the disk uses the master boot record (MBR) or GUID partition table (GPT) partition style. The disk marked with an asterisk (*) has focus.

select disk disknumber: Selects the specified disk, where disknumber is the disk number, and gives it focus.

Media Label: IMG000001
GRT backup set folder: E:\BEData\IMG000001
Transport mode 'nbd' was used for the disk 'WebProxy.vmdk'
Transport mode 'nbd' was used for the disk 'WebProxy_1.vmdk'
V-79-57344-38761 - Failed to mount one or more virtual disk images because they contained GPT style disks. Backups that were enabled for Granular Recovery Technology may not be available for restore.

Solution:

In the backup job deselect the option "Use Backup Exec Granular Recovery Technology (GRT) to enable the restore of individual files and folders from virtual machines" under Settings-VMware Virtual Infrastructure.

To simulate a virtual machine that is gone completely, I built a fresh-install virtual machine with Windows 7 and tried to restore the system from the backup:

It took about 10 minutes to restore from the backup. However, the system could not be booted up and it showed the Blue Screen of Death. The solution and the proper procedure is to use a Backup Exec recovery disk (a .ISO image) to boot up the machine and then restore from the Backup Exec server.

Sunday, June 22, 2014

This is just an example of the progress of time and the evolution of networking equipment. Back in the day it used to be mandatory to use a crossover cable between switches and routers and between some servers and hubs, but modern equipment can autosense the connection type and change its mdx configuration on a per-port basis. Therefore, newer training materials will list a standard cable as the proper connection.

I still advise you keep a crossover cable handy though in your travels since you never know when you will meet an older piece of equipment that may require that type of connection.

Good luck with your studies,

Kailen
===
To kind of tie into what was said, you should get in the habit of always using the suggested cable type. If you don't then you could spend hours troubleshooting an issue that could have been avoided by using the correct type. It is nice when the devices auto-configure for you, but you do not want to get in the habit of relying on it.
===
To flex my newly acquired networking muscle...I will shed some light on this topic (I don't have too many networking muscles).

True, auto-sensing ports eliminate the need to think about whether you're using crossover or straight-through. But, as mentioned, it is probably safer to practice good networking rules.

Note: The correct method to connect a router to a switch is by using a straight-through cable. Switches and hubs transmit on pins 3 & 6, whereas pretty much any other NICs and routers transmit on pins 1 & 2.

So :

router to router....crossover

PC to PC....crossover

switch to switch.....crossover

PC to router....crossover

PC to switch, Router to switch, PC to Hub....straight-through
===
This topic has to do with the OSI Model.

You are dealing with the 3 bottom most layers. Network, Data Link, and Physical.

Straight-through cables are used for different-layer transfer (one of many uses) (e.g. Layer 2 to Layer 3).

Auto-sensing ports (where available) make life a little easier by doing away with the guesswork and layer thinking. I work on a network backbone, so we try not to rely on auto-sensing ports too much (it's just something else to fail).
===

Layer 3 Switches Explained

by DAVID DAVIS on AUGUST 30, 2007

Layer 3 switches are becoming more and more common in the Enterprise. After reading this tip, you’ll know the difference between a switch, a router, and a Layer 3 switch. You’ll also understand what to look for when shopping for Layer 3 switches.

By: David Davis, CCIE #9369, CWNA, MCSE, CISSP, Linux+, CEH

Let’s say that the switches in your data center or wiring closet are old. You know that you need to replace them and have heard about Layer 3 switches. But what is a Layer 3 switch, what can it do for you, and how does it differ from a regular switch or router? Let’s find out.

How do switches and routers work?

Before defining what a Layer 3 switch is, let’s make sure that we are all on common ground and understand what a regular switch and a router do.

A switch works at Layer 2 of the OSI model (data-link). It is a LAN device that can also be called a multi-port bridge. A switch switches Ethernet frames between Ethernet devices. Switches do not care about IP addresses nor do they even examine IP addresses as the frames flow through the switch. However, unlike a hub that just duplicates data and sends it out all ports, switches keep a bridge forwarding table that shows what MAC addresses have been seen on what port.

In the Cisco world, the bridge forwarding table is called a CAM Table, or Content Addressable Memory table. If a switch receives an Ethernet frame for a destination that it doesn’t have in its table, it floods that frame out to all ports (like a hub does all the time). However, the switch learns from the response of that flood and records the response to that frame in its forwarding table for the next time. Switches form collision domains. In other words, the switches “play traffic cop” with the inbound frames by buffering each packet before switching it. This way, there are no collisions and, to each device connected to the switch, it seems like that device has its own Ethernet segment and can talk at full speed, without risk of collisions.

A router, on the other hand, works at Layer 3 of the OSI model (Network). It is a WAN device that connects a LAN to a WAN or a subnetted LAN to another subnetted LAN. A router routes IP packets between IP networks. Routers do this using an IP routing table. In that table, they have either static or dynamic routes. When an IP packet comes in, the router looks up the destination IP in the IP routing table. If that destination IP is not found in the table the router drops the packet, unless it has a default route. Routers form broadcast domains because they drop broadcast packets.

How does a Layer 3 switch work?

A Layer 3 switch works much like a router because it has the same IP routing table for lookups and it forms a broadcast domain. However, the “switch” part of “Layer 3 switch” is there because:

The layer 3 switch looks like a switch. It has 24+ Ethernet ports and no WAN interfaces.

The layer 3 switch will act like a switch when it is connecting devices that are on the same network.

The layer 3 switch is the same as a switch with the router’s IP routing intelligence built in.

The switch works very quickly to switch or route the packets it is sent.

In other words, the Layer 3 switch is really like a high-speed router without the WAN connectivity.

You might be asking yourself why you would want the routing functionality of a router in your switch if you don’t have WAN interfaces. Well, the routing functionality of the Layer 3 switch is there to route between different subnets or VLANs on a campus LAN or any sort of large LAN. This means that the Layer 3 switch is really for large Ethernet networks that need to subnet into smaller networks. Most of the time, this is done using VLANs.

When it comes to Layer 3 switching, there are two kinds: hardware and software. With a hardware-based solution, the device is using an ASIC (a dedicated chip) to perform the function. With the software implementation, the device is using a computer processor and software to perform the function. Generally, Layer 3 switches and high-end routers route packets using hardware (ASICs) and general-purpose routers use software to perform routing functions.

What is a VLAN?

A VLAN is a virtual LAN. This virtual LAN is also an IP subnet. The difference between just subnetting a network and using VLANs is the flexibility that VLANs can provide for your LAN subnetting. Here is an example: Say that you have a single switch port in one VLAN, in one building. One hundred yards away, you can have another switch port, in another building. Both of those switch ports can be in the same VLAN and only those two switch ports can talk, despite the fact that they are separated by multiple buildings and are connected by a 100 yard fiber optic cable. Without a VLAN, this type of organization wouldn’t be possible.

In a traditional VLAN, switches tag the VLAN traffic, and only the devices on the same VLAN can communicate with one another. If devices on different VLANs need to communicate, they would talk to each other via a trunk port on a router. That trunk port and the processing power of the router would create a bottleneck for communications. With a Layer 3 switch, routing and trunking are performed at very high speeds.

Besides the functionality mentioned above, a VLAN has a number of other features such as:

Performance & broadcast control

Segregating departments or project networks

Security

This article can’t begin to cover all that you need to know about VLANs. What you need to know is that Layer 3 switches are used to make VLANs easier and faster. Layer 3 switches make VLANs easier to configure because you don’t need a separate router between VLANs. All the routing can be done right on the switch. Layer 3 switches make VLANs faster because they eliminate the bottleneck that results from a router forming a single link between VLANs.

Do I need a Layer 3 switch?

You should investigate getting a Layer 3 switch if you can answer yes to any of the following questions:

Do you have a network with a lot of broadcasts that needs better performance?

Do you have subnets and/or VLANs that are currently connected via a router?

Do you need higher performance VLANs?

Do departments need their own broadcast domains for performance or security?

Are you considering implementing VLANs?

Article summary

Here is what we have learned:

Routers work at Layer 3 and route IP packets between networks.

Switches work at Layer 2 and switch Ethernet frames between Ethernet devices.

For some of the higher-end Cisco switches, enabling Layer 3 switching is simply a software upgrade available for a fee.

Saturday, June 21, 2014

MikroTik RouterOS is the operating system of MikroTik RouterBOARD hardware. It can also be installed on a PC and will turn it into a router with all the necessary features - routing, firewall, bandwidth management, wireless access point, backhaul link, hotspot gateway, VPN server and more.

RouterOS is a stand-alone operating system based on the Linux v2.6 kernel, and our goal here at MikroTik is to provide all these features with a quick and simple installation and an easy to use interface.

You can try RouterOS today, go to www.mikrotik.com and download the installation CD image. The free trial provides all of the features with no limitations. In the following pages you will find examples of some of the most important RouterOS features.
Configuration

RouterOS supports various methods of configuration - local access with keyboard and monitor, serial console with a terminal application, Telnet and secure SSH access over networks, a custom GUI configuration tool called Winbox, a simple Web based configuration interface and an API programming interface for building your own control application. In case there is no local access, and there is a problem with IP level communications, RouterOS also supports a MAC level based connection with the custom made Mac-Telnet and Winbox tools.

New in RouterOS v4 is the Lua scripting language, which opens up a multitude of approaches in automation and programming of your router.
Firewall

The firewall implements packet filtering and thereby provides security functions, that are used to manage data flow to, from and through the router. Along with the Network Address Translation it serves for preventing unauthorized access to directly attached networks and the router itself as well as a filter for outgoing traffic.

RouterOS features a stateful firewall, which means that it performs stateful packet inspection and keeps track of the state of network connections traveling across it. It also supports Source and Destination NAT (Network Address Translation), NAT helpers for popular applications and UPnP.

The Firewall provides features to make use of internal connection, routing and packet marks. It can filter by IP address, address range, port, port range, IP protocol, DSCP and other parameters, also supports Static and Dynamic Address Lists, and can match packets by a pattern in their content, specified as Regular Expressions, called Layer7 matching.

RouterOS also supports Virtual Routing and Forwarding (VRF), Policy based routing, Interface based routing and ECMP routing. You can use the Firewall filter to mark specific connections with Routing marks, and then make the marked traffic use a different ISP.

Now with MPLS support added to RouterOS, VRF is also introduced. Virtual Routing and Forwarding is a technology that allows multiple instances of a routing table to co-exist within the same router at the same time. Because the routing instances are independent, the same or overlapping IP addresses can be used without conflicting with each other. VRF also increases network security. It is often used in, but not limited to MPLS networks.
MPLS

MPLS stands for MultiProtocol Label Switching. It can be used to replace IP routing - the packet forwarding decision is no longer based on fields in the IP header and the routing table, but on labels that are attached to the packet. This approach speeds up the forwarding process because the next-hop lookup becomes very simple compared to a routing lookup.

Efficiency of the forwarding process is the main benefit of MPLS. MPLS makes it easy to create “virtual links” between nodes on the network, regardless of the protocol of their encapsulated data.

It is a highly scalable, protocol agnostic, data-carrying mechanism. In an MPLS network, data packets are assigned labels. Packet-forwarding decisions are made solely on the contents of this label, without the need to examine the packet itself. This allows one to create end-to-end circuits across any type of transport medium, using any protocol.

To establish secure connections over open networks or the Internet, or connect remote locations with encrypted links, RouterOS supports various VPN methods and tunnel protocols:

• Ipsec – tunnel and transport mode, certificate or PSK, AH and ESP security protocols
• Point to point tunneling (OpenVPN, PPTP, PPPoE, L2TP)
• Advanced PPP features (MLPPP, BCP)
• Simple tunnels (IPIP, EoIP)
• 6to4 tunnel support (IPv6 over IPv4 network)
• VLAN – IEEE802.1q Virtual LAN support, Q-in-Q support
• MPLS based VPNs
This means that you can securely interconnect banking networks, use your workplace resources while travelling, connect to your home local network, or increase security of your wireless backbone link. You can even interconnect two branch office networks and they would be able to use each other’s resources, as if the computers would be in the same location - all secure and encrypted.
Wireless

A variety of Wireless technologies are supported in RouterOS, the most basic of them being the wireless access point and client. Whether it’s a small hotspot network in your home or a city-wide mesh network, RouterOS will help you in all situations.

RouterOS also features the NStreme proprietary wireless protocol, which allows extending the connection range and speed when using MikroTik routers at each end. This has helped to achieve the current non-amplified wifi link length world record in Italy. Also supported is NStreme dual, which allows using two antennas at each end, one for receiving and one for sending.
HotSpot

The MikroTik HotSpot Gateway enables providing public network access for clients using wireless or wired network connections. The user will be presented with a login screen when first opening their web browser. Once a login and password are provided, the user will be allowed internet access. This is ideal for a hotel, school, airport, internet cafe or any other public place where the administration doesn’t have control over the user computer. No software installation or network configuration is needed; the hotspot will direct any connection request to the login form.

Extensive user management is possible by making different user profiles, each of which can allow certain uptime, upload and download speed limitation, transfer amount limitation and more.

Hotspot also supports authentication against standard RADIUS servers and MikroTik’s own User Manager which will give you a centralized management of all users in your networks.

RouterOS features a MikroTik custom made proxy server for caching web resources, and speeding up customer browsing by delivering them cached file copies at local network speed. MikroTik RouterOS implements the following proxy server features:

• Regular HTTP proxy
• Transparent proxy
• Access list by source, destination, URL and requested method (HTTP firewall)
• Cache access list to specify which objects to cache, and which not.
• Direct Access List to specify which resources should be accessed directly, and which - through another proxy server
• Logging facility
• SOCKS proxy support
• Parent proxy support
• Cache storage on external drives
RouterOS can also act as a Transparent Caching server, with no configuration required in the customer PC. RouterOS will take all HTTP requests and redirect them to the local proxy service. This process will be entirely transparent to the user, and the only difference to them will be the increased browsing speed.
Tools

To help administrating your network, RouterOS also provides a large number of small network tools to optimize your everyday tasks. Here are some of them:

Directory "/usr/local/www/cgi-bin"> - change this to the same path as ScriptAlias /cgi-bin above

Now let's tell Apache to start:

# apachectl start

and hit Enter on your keyboard

We now need to tell Apache to run on startup. Please run the following command:

# echo 'apache22_enable="YES"' >> /etc/rc.conf

If you get no errors, Apache should be running. Look at the page by opening a browser to http://localhost, or replace localhost with the IP or the actual hostname of the box. If you went with the DocumentRoot defaults, you will see an Apache test page until you get your site up and going. If you are behind a router or firewall, make sure you forward the Apache port (port 80) to the FreeBSD box, otherwise you won't be able to get there from here. :-)

Now, you need to understand that one server can hold multiple certificates, but only one per listening IP address. So, if your server is listening on one IP address, you can only have one certificate for the server. Follow me so far? All of your virtual domains can share the same certificate, but clients will get warning prompts when they connect to a secure site where the certificate does not match the domain name. If your server is listening on multiple IP addresses, your virtual hosts have to be IP-based -- not name-based. This is something to consider when creating your certificate. :-)

Change to your root dir by typing in the following command. We want to save this configuration there as a backup.

# cd /root
# openssl genrsa -des3 -out server.key 1024

You will now be prompted to enter in a password. Write this down as you will need it later. We need to make a Certificate Signing Request (CSR):

# openssl req -new -key server.key -out server.csr

Enter your password when it asks for it. Make sure you enter your FQDN for the "Common Name" portion.

Self-signing your Certificate

You could always pay money to Verisign or Thawte for this but it costs $$$. Here is the way to do it:
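The key, CSR and self-signed certificate steps from the section above, as an added example that is not part of the original post, done non-interactively so they can be scripted, together with a check that the certificate actually belongs to the key. It assumes only that the openssl command-line tool is installed; the function names make_selfsigned, cert_matches_key and cert_has_san and the output file san.ext are this example's own. It differs from the post's commands in three places, each noted in the code: a 2048-bit key, no -des3 passphrase on the key file, and a subjectAltName entry.

```shell
#!/bin/sh
# Added example (not from the original post): the key -> CSR -> self-signed
# certificate steps done non-interactively, plus a check that the resulting
# certificate really belongs to the key. Assumes the openssl command-line
# tool is installed. Differences from the post's commands: a 2048-bit key,
# no -des3 passphrase on the key (so Apache can start unattended; the file
# is protected by permissions instead) and a subjectAltName, which browsers
# now check instead of the Common Name.

# make_selfsigned FQDN OUTDIR [DAYS]
make_selfsigned() {
    fqdn="$1"; outdir="$2"; days="${3:-365}"
    mkdir -p "$outdir" || return 1
    # Private key, created with mode 0600 so only the owner can read it.
    (umask 077 && openssl genrsa -out "$outdir/server.key" 2048 2>/dev/null) || return 1
    # Certificate Signing Request with the FQDN as Common Name.
    openssl req -new -key "$outdir/server.key" -out "$outdir/server.csr" \
        -subj "/CN=$fqdn" 2>/dev/null || return 1
    # Self-sign the CSR with the same key; the SAN extension is supplied
    # through -extfile because this plain CSR does not carry it.
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$outdir/san.ext"
    openssl x509 -req -in "$outdir/server.csr" -signkey "$outdir/server.key" \
        -days "$days" -extfile "$outdir/san.ext" -out "$outdir/server.crt" 2>/dev/null
}

# cert_matches_key OUTDIR: succeeds only if server.crt's public key equals
# the public half of server.key, which catches a mismatched key/cert pair
# before Apache refuses to start with it.
cert_matches_key() {
    a=$(openssl x509 -noout -pubkey -in "$1/server.crt" 2>/dev/null) || return 1
    b=$(openssl pkey -pubout -in "$1/server.key" 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_has_san OUTDIR FQDN: succeeds if the certificate lists FQDN as a DNS SAN.
cert_has_san() {
    openssl x509 -noout -text -in "$1/server.crt" 2>/dev/null | grep -q "DNS:$2"
}

# Usage: sh selfsign.sh www.example.com /root/ssl
if [ "$#" -ge 2 ]; then
    make_selfsigned "$1" "$2" && cert_matches_key "$2" && cert_has_san "$2" "$1" \
        && echo "server.key, server.csr and server.crt written to $2"
fi
```

Clients will still warn about the certificate because nobody they trust signed it; the same server.csr can be sent to a CA later, and the CA-issued certificate will pass cert_matches_key unchanged because the key is the same.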

Monday, June 16, 2014

ERROR HY000: This function has none of DETERMINISTIC, NO SQL, or READS SQL DATA in its declaration and binary logging is enabled (you *might* want to use the less safe log_bin_trust_function_creators variable)

mysql> SET GLOBAL log_bin_trust_function_creators = 1;

Note: You can also set this variable by using the --log-bin-trust-function-creators=1 option when starting the server.
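The error above also goes away, without touching the server-wide setting the message itself calls "less safe", when each function declares DETERMINISTIC, NO SQL or READS SQL DATA. The script below, added here as an example that is not from the original post, scans a SQL file for CREATE FUNCTION statements that declare none of those characteristics so they can be fixed before the file is loaded. It assumes each function's body starts on its own line with BEGIN or RETURN (the usual DELIMITER $$ layout); the function names check_function_characteristics and sample_sql and the sample functions f_tax and f_last_login are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): report CREATE FUNCTION
# statements that declare none of DETERMINISTIC, NO SQL or READS SQL DATA,
# so they can be corrected instead of enabling
# log_bin_trust_function_creators for the whole server.
# Assumes each function body starts on its own line with BEGIN or RETURN.

# check_function_characteristics FILE.sql
# Prints one line per offending function; exit status 1 if any were found.
check_function_characteristics() {
    awk '
        toupper($0) ~ /CREATE[ \t]+(DEFINER[^ \t]*[ \t]+)?FUNCTION/ {
            inhdr = 1; hdr = ""
            # Function name: the token after FUNCTION, without backticks.
            name = $0
            sub(/^.*[Ff][Uu][Nn][Cc][Tt][Ii][Oo][Nn][ \t]+`?/, "", name)
            sub(/[`(].*$/, "", name)
            sub(/[ \t].*$/, "", name)
        }
        inhdr {
            # Collect the header (everything before the body) in upper case.
            hdr = hdr " " toupper($0)
            if ($0 ~ /^[ \t]*(BEGIN|RETURN)([ \t]|$)/) {
                inhdr = 0
                # NOT DETERMINISTIC on its own does not satisfy the server.
                gsub(/NOT[ \t]+DETERMINISTIC/, "", hdr)
                if (hdr !~ /DETERMINISTIC|NO SQL|READS SQL DATA/) {
                    printf "%s: function %s declares none of DETERMINISTIC, NO SQL or READS SQL DATA\n", FILENAME, name
                    bad++
                }
            }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# sample_sql FILE: writes a constructed sample with one compliant function
# (f_tax, DETERMINISTIC) and one that only says NOT DETERMINISTIC although
# it reads a table and should declare READS SQL DATA (f_last_login).
sample_sql() {
    cat > "$1" <<'EOF'
DELIMITER $$
CREATE FUNCTION f_tax(amount DECIMAL(10,2)) RETURNS DECIMAL(10,2)
    DETERMINISTIC
BEGIN
    RETURN amount * 0.2;
END$$

CREATE FUNCTION f_last_login(uid INT) RETURNS DATETIME
    NOT DETERMINISTIC
BEGIN
    RETURN (SELECT last_login FROM users WHERE id = uid);
END$$
DELIMITER ;
EOF
}

# Usage: sh check-functions.sh routines.sql
if [ "$#" -ge 1 ]; then
    check_function_characteristics "$1"
fi
```

Run it against a dump before loading it into a server with binary logging enabled; a clean run means the SET GLOBAL above is not needed for that file.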